MobileIron for Windows Phone 8

The newest platform for enterprise mobility is Windows Phone 8 from Microsoft and device manufacturers like Nokia, HTC, and Samsung. The Windows Phone platform is attractive to IT organizations for several reasons:

• Ability to easily repurpose existing Windows developers to build mobile apps
• Availability of Microsoft productivity tools like Office, SharePoint, and Lync
• Existing enterprise relationships with Microsoft
• Consistent operating system across the Windows Phone ecosystem

MobileIron has worked closely with Microsoft and several device manufacturers to provide the security and management capabilities required for organizations to add Windows Phone 8 to their approved device lists.

MobileIron provides enterprise security for Windows Phone 8:
• Certificates for establishing user and device identity for email and other apps
• Selective wipe to remove enterprise data and settings
• Enrollment and inventory management
• Creation and push of corporate security policies
• Access control for corporate email
• Management of external data stores (SD card lock)
• Password enforcement to protect device from unauthorized access
• Remote lock and wipe to protect data-at-rest on lost or stolen devices
• User authentication through AD/LDAP corporate directory credentials

Certificates are a foundation of today’s Mobile IT security model. MobileIron integrates with an enterprise’s existing Certificate Authority (CA) but also provides an on-board CA for organizations that do not have their own or cannot easily access it. Certificate provisioning and usage is transparent to end users, so native experience is preserved while security is strengthened.

App Management
One of the most attractive aspects of the Windows Phone 8 platform is the ability to leverage established Windows application development skills to build new mobile apps. Many large organizations have built up substantial Windows development teams over the last twenty years and would like to use those teams to accelerate their mobile apps initiatives.

MobileIron has the richest app management platform in the industry. For Windows Phone 8, the MobileIron Apps@Work enterprise app storefront will provide the ability to distribute internal apps to end users.

Enterprise Reporting
Business customers need access to information in order to make informed decisions. MobileIron provides reporting that includes items like: OS version, unique device ID, installed enterprise applications, configured policy values, device hardware information, and more.

Windows 8 RT
Windows 8 RT is Microsoft’s new ARM-based platform for tablets. It is designed to run Modern (Microsoft’s new user interface) applications only. MobileIron will initially support Windows 8 RT through traditional ActiveSync management policies, which will be a subset of the capabilities of MobileIron for Windows Phone 8.

MobileIron v5.1

This release includes the following functionality:
o GUI-based configuration for new iOS 6 policies
o Multi-User for iOS
o OS X support
o Enablement for new Android feature set*
o Basic SAML functionality for administrative login
o Fixes for more than 100 top customer-found defects
o Localization for end-user facing strings: Spanish (Latin Am), Portuguese (BR), Traditional Chinese
o Visual refresh

Atlas 1.2
This release includes the following functionality:
o Enhanced delegated admin
o Registration (role permission and workflow to register new devices)
o Audit log (all admin actions and registrations)
o Localization: Spanish (Latin Am), Portuguese (BR), Traditional Chinese
o Visual refresh

*VSP 5.1 provides enablement for several Android feature sets: Docs@Work, AppConnect, and Enterprise Android functionalities. These new Android capabilities require the new Android 5.1 app, which will be released in mid-November.

OS X Support
This release adds the following support for Mac OS X devices:
• Mac Book- (Late 2008/ Early 2009)
• Mac Book Pro
• Intel Core 2 Duo (2007/early 2008/ late 2008)
• Intel Core i5
• Intel Core i7
• Mac Book Air (2008/2009/2010/2011/2012)
• OS X Lion
• OS X Mountain Lion

• You can now register OS X devices.
• An OS X label has been added.

The following administrative actions are supported:
• Force Device Check-In
• Lock Device
• Wipe Device
• Retire Device
• The VSP can push the following configurations to OS X devices:
• passcode configurations (by means of security policies)
• POP and IMAP email configurations (by means of email app settings)
• Exchange configurations (Note that OS X synchronizes Contacts only, and ActiveSync is not supported)
• LDAP configurations
• CardDAV configurations
• CalDAV configurations
• VPN configurations
• Wi-Fi configurations
• certificate configurations
• SCEP configurations
• web clip configurations
• configuration profiles
• The VSP reports app inventory for OS X devices

Added Restrictions
MobileIron now supports the following iOS restrictions for iOS 6 devices:
• Allow iMessage*
• Allow Game Center*
• Allow Passbook notifications while locked
• Allow use of iBookstore*
• Allow iBookstore media that has been tagged as erotica*
• Allow shared photo streams
• Allow interactive installation of configuration profiles and certificates*
• Allow diagnostics data to be sent to Apple
* supervised devices only

MobileIron Docs@Work

Content is the lifeblood of the enterprise. When end users choose mobile as their preferred computing platform, they immediately need iPhone and iPad access to the documents that are essential for their work. In most large organizations, two of the main repositories of documents are enterprise email, with attachments, and Microsoft SharePoint.

The challenge for the Mobile IT team is to provide a great mobile user experience without sacrificing document security. MobileIron® Docs@Work gives the end user an intuitive way to access, store, and view documents from email and SharePoint and lets the administrator establish data loss prevention controls to protect these documents from unauthorized distribution. Employees can now take full advantage of the iPhone and iPad for secure enterprise content and collaboration.

Secure Content Hub
MobileIron Docs@Work creates a secure content hub on the iPhone or iPad for the end user to access and manage corporate documents:
- View documents
- Store documents securely on the device
- Protect data-at-rest with iOS Data Protection
- Selectively wipe documents when the user or device falls out of compliance
- Block clipboard (cut/copy/paste) access to enterprise content
- Control whether third-party apps can access stored documents
- Utilize policies, users, roles, groups, and permissions already set in MobileIron

Docs@Work support for Android is planned for a future release, as is the ability to provide policy-based controls for other trusted apps on the device to individually access secured documents.

Email Attachment Security
Apple’s native email app is the end user’s preferred email experience on iOS.
Historically, the high risk of email attachments being opened and then distributed to third-party doc and collaboration services has inhibited mass adoption of iOS by some regulated organizations.
MobileIron Docs@Work, together with the MobileIron Sentry intelligent gateway, is the first solution in the industry to secure email attachments for iOS without requiring a third-party email solution:
- Scan email traffic for attachments
- Filter attachments if necessary
- Protect attachments so only MobileIron Docs@Work can open them
- Block “open in” access to attachments in the native iOS email experience

SharePoint Access
SharePoint is the most common content repository and collaboration suite across MobileIron customers. MobileIron Docs@Work gives mobile users access to SharePoint content and gives administrators the ability to establish appropriate mobile policies for SharePoint.
For users:
- Connect securely to SharePoint from a mobile device
- Navigate SharePoint shares
- View remote files and folders
- Download content to the mobile device
For administrators:
- Centrally provision SharePoint access
- Pre-populate user names and directory paths for secure provisioning

- Protect corporate email attachments
- Provide secure access to SharePoint
MobileIron Docs@Work
- Keep corporate documents under enterprise control
- Prevent unauthorized distribution of email attachments into consumer services like Dropbox
- Secure the native email experience on iOS and eliminate the need to use third party email apps
- View and store SharePoint docs securely
- Prevent data loss by controlling cut/copy/paste
- Lower administrative costs through tight integration with existing enterprise infrastructure

MobileIron Docs@Work Datasheet
MobileIron Docs@Work White Paper

mobileEcho Android mobile file management/access (MFM)

Today, GroupLogic announced the release of mobilEcho 4.0.2, which includes the highly anticipated support for Android clients!

The mobilEcho 4.0.2 Server update and the mobilEcho for Android client app include:

• Secure file access to corporate file servers, NAS devices and Sharepoint from Android devices.
• Ability for Android users to access, browse, preview and edit files.
• Save files in the mobilEcho ‘My Files’ folder for offline file access.
• Enhanced management features to regulate app configuration, capabilities and security policies.

mobilEcho enables enterprise IT to provide their users with secure and managed access, via Active Directory authentication, to files and content residing on enterprise file servers, SharePoint and NAS storage, just as they
have from their laptop or desktop. mobilEcho ensures that the end-user has a simple, easy-to-use solution and that IT can implement the security and management capabilities required by their organization.

mobilEcho for Android provides enterprises an increased opportunity to expand the power of mobile computing for increased efficiency and productivity with the introduction of the Android Client app, all while making IT management simple, secure and more cost-effective.

Apple iMac/iOS management with MobileIron

MobileIron® is the leading Mobile IT platform for Bring Your Own Device (BYOD) programs.
MobileIron delivers enterprise-grade security and management for the Mac, enabling organizations to manage Mac computers along with mobile devices such as iPhones and iPads. MobileIron works with Apple tools and technologies to implement policies and profiles, easily and consistently, across the company while tightly integrating with enterprise services such as LDAP/Active Directory, Microsoft Exchange, Lotus Notes, PKI, VPN, and Apple Profile Manager. MobileIron preserves the native user experience of the Mac and allows end users to provision their Macs for enterprise services with just a few clicks.

MobileIron provides enterprise security for the Mac by enabling:
• Certificates to authenticate users, apps, and devices
• Minimum password requirements to protect device access
• Wi-Fi and VPN configurations to protect data-in-motion
• Configuration of e-mail, calendar, and contacts
• Custom configuration profiles
• Remote lock and wipe for lost or stolen computers
• Removal of enterprise provisioning information when retiring a Mac
Certificates are a foundation of MobileIron’s layered security model. MobileIron integrates with an enterprise’s existing Certificate Authority (CA) but also contains an on-board CA for organizations that do not have their own or cannot easily access it. Certificate provisioning and usage is transparent to end users, so native experience is preserved while security is strengthened.

MobileIron offers highly scalable, comprehensive management for the Mac. Mac computers can be administered from a single console alongside iOS and other enterprise platforms. MobileIron’s proven architecture streamlines operations for both the end user and the administrator:
• End user self-service, including simple, web-based registration, over-the-air provisioning, troubleshooting, and management with no app required
• Broad platform support for OS X v10.7 Lion, OS X v10.8 Mountain Lion, iOS 4, and iOS 5
• Configurable event triggers and automated remediation
• Single web-based console and delegated administration across operating systems
• Global scalability, inventory, and asset management

Enterprise Integration
MobileIron is tightly integrated with enterprise IT infrastructure such as Microsoft Exchange e-mail and LDAP directory services. Labels, users, roles, and permissions are synchronized between the enterprise and MobileIron, minimizing administrative efforts while providing secure, authenticated access to enterprise data.

New MobileIron VSP v5.0 & Sentry Standalone v4.0 Available

MobileIron is pleased to announce the release of the following available on September 24th.
- VSP 5.0
- Standalone Sentry 4.0
- iOS app 5.0

Additionally, MobileIron is introducing an enterprise class, high-end appliance to supplement the existing standard appliance. V5.0 provides support for this this new appliance. More information about the enterprise class appliance will be published soon.

VSP 5.0
This release includes the following functionality:
- Basic doc distribution (iOS)
- Email Attachment Control (iOS)

Sharepoint versions supported with Docs@Work
- Sharepoint 2007 with SP1 and later
- Sharepoint 2010

Increased scale
- Management of up to 100,000 devices on the new hardware platform
- Support for 3,000 concurrent app downloads
- Pushing iOS app install prompts at device registration
- Updating iOS voice and data roaming settings

iOS MobileIron Mobile@Work App 5.0
This release includes the following functionality:
- All new UI look and feel
- Docs@Work*: View documents stored in SharePoint and store locally for offline viewing
- Docs@Work*: View email attachments protected by MobileIron and store locally
- Removed App Storefront button for compliance with the App Store review guidelines

Standalone Sentry 4.0
This release includes:
- Docs@Work*: Email Attachment Encryption (iOS)

Docs@Work is a new product offering from MobileIron, that requires the purchase of a separate license. Please contact your sales rep for pricing and availability information.

In addition to purchasing the required licenses, customers wishing to use Docs@Work must upgrade to VSP v5.0, iOS app v5.0 and Sentry v4.0 in order to be able to use Docs@Work.
Full support for new features in V5.0 is highlighted here.

Security scanning
Qualys scans are mainly used for PCI Compliance and identifying vulnerable packages.

MobileIron have integrated Qualys PCI and Full Scanning into the development process.

What iOS 6 Means For the Enterprise

The widely anticipated iOS 6 release brings over 200 new features to supported iOS devices. These features include a new maps app, updated Siri features, VIP mailboxes, deep Facebook integration, Passbook, and many internationalization enhancements. iOS 6 ships with iPhone 5 and the 5th generation iPod touch, and is generally available for other select iOS devices as of September 19, 2012. While most of the new capabilities are consumer-focused, Mobile IT professionals will find a number of features valuable in the enterprise environment. This document provides an overview of enterprise capabilities new to iOS 6 and guidelines for implementation using MobileIron.

Feature Overview
The new enterprise-focused capabilities of iOS 6 include:
- Global HTTP proxy*
- Single-App Mode*
- Restrictions for Game Center*, iMessage, Passbook, iBookstore*, Shared photo streams
- Prohibiting users from manually installing configuration profiles*
- Disabling diagnostics submission to Apple
- PIM privacy settings

* Requires “supervision” by the Apple Configurator. See the Apple Configurator section later in this document for information on Configurator usage.

Global HTTP Proxy
HTTP proxies are useful for environments where web content filtering and auditing is required. In iOS 5, HTTP proxy support was limited to individual Wi-Fi and VPN connections. In iOS 6, an HTTP proxy can be applied globally to a device. Information Security professionals can now scan and filter web content even if the device is joined to any Wi-Fi network or cellular network.

When the Global HTTP Proxy setting is configured on iOS 6 device, HTTP traffic is routed to a proxy server that the IT admin specifies. If that server is not reachable for any reason, the apps on the device that use HTTP as a transport mechanism will not be able to send or receive data. Restricting this web traffic requires that apps use the native iOS networking APIs.

The Global HTTP Proxy can be enabled only on devices that were originally set up and supervised by Apple Configurator.

Single App Mode
When the Single-App Mode setting is enabled, only the app specified by the Mobile IT team can be run on the device. This is useful for kiosk-like deployments. For example, an iPad used only as a product catalog for a clothing retailer; an iPod touch with a hardware sled for barcode scanning and credit card swiping used as a point-of-sale device at an electronics retailer. These devices typically have a locked-down configuration, where the device should run only one app.

When Single-App Mode is enabled, the Home button and features such as taking a screenshot or receiving notifications are disabled. The device will return to the specified app automatically upon wake or restart.

Single-App Mode can be enabled only on devices that were originally set up and supervised by Apple Configurator.

Device Restrictions
iOS 6 introduces several device restrictions:
- Allow Game Center*. Disallow to remove the Game Center icon from the home screen.
- Allow use of iBookstore*. Disallow to disable the iBookstore on the device.
- Allow iBookstore erotica*. Disallow to prevent users from downloading media tagged as erotica from the iBookstore.
- Allow iMessage*. Disallow to remove the Messages icon from the home screen and prevent the device from receiving iMessages.
- Allow Passbook while locked. Disallow to prevent display of Passbook notifications on the lock screen.
- Allow Shared Photo Stream. Disallow to disable the ability to share photos with specified contacts and to receive updates for shared streams.
- Allow user configuration profile installation*. Disallow to prohibit the user from installing configuration profiles and certificates interactively.
- Allow automatic diagnostics submission. Apple uses diagnostics data to improve its products and services. If enabled, the device sends diagnostic and usage data daily to Apple, which may include location information. Additional info on diagnostics, including the Apple privacy policy, can be found in the iOS Settings app under General -> About -> Diagnostics & Usage.

* Requires devices that were originally set up and supervised by the Apple Configurator.

Privacy Settings
iOS 6 includes new privacy features that enable end-users to restrict third-party app access to user data and other services:
- Contacts
- Calendars
- Reminders (Tasks)
- Photos
- Bluetooth Sharing
- Twitter
- Facebook

Note that photos can contain location data.

Permissions can be set per service for each app that has requested access to the service. These settings are not available for remote management via MDM; however, Mobile IT staff can still recommend that end-users manually configure these permissions as needed for adherence to corporate security policy.

Alternatively, restrictions can be enforced at an app level. Consider using MobileIron AppControl rules to disallow apps that violate acceptable use policies, rather than attempting to manually provision privacy settings for the services themselves.

Apple Configurator and Supervision
Many of the iOS 6 enterprise capabilities require Apple Configurator “supervision”. Apple Configurator is a mass configuration tool that can be used to install a baseline configuration prior to MobileIron enrollment. This may include installing the latest version of iOS or settings for a Wi-Fi network used for MobileIron enrollment.

The “supervised” device attribute indicates the device will remain in direct control of the Mobile IT team and enables additional capabilities more applicable to corporate-liable deployments. This includes deployments for dedicated tasks (ex. field service deployments, retail point-of-sale devices), “loaner” devices used in hospitality and services, and devices shared among students in a classroom lab.

NOTE: When enabling supervision, Apple Configurator will erase all device data and return the device to factory defaults. Therefore, supervision is not an adequate option for BYOD programs, or other deployments where personal data must be preserved.

iOS 6 Hardware Support
The following devices can be updated to iOS 6:

iPad (3rd generation) Wi-Fi
iPad (3rd generation) Wi-Fi + Cellular (ATT)
iPad (3rd generation) Wi-Fi + Cellular (Verizon)
iPad 2 Wi-Fi (Rev A)
iPad 2 Wi-Fi
iPad 2 Wi-Fi + 3G (GSM)
iPad 2 Wi-Fi + 3G (CDMA)
iPhone 4S
iPhone 4 (GSM)
iPhone 4 (CDMA)
iPhone 3GS
iPod touch (4th generation)

In addition, iPhone 5 and iPod touch (5th generation), available in September 2012, will ship with iOS 6.

MobileIron is Ready
MobileIron welcomes these exciting new enhancements and believes they will accelerate momentum for Mobile
IT. Our current generally available release, MobileIron VSP v4.5.4, secures and manages newly registered iOS 6 devices, as well as existing devices under management that are updated to iOS 6.

The new iOS 6 capabilities mentioned in this document, excluding the privacy settings, can also be deployed and managed by MobileIron VSP v4.5.4. You can even use MobileIron for over-the-air management of settings requiring Configurator supervision. If devices are initially supervised using the Configurator, these settings can be later deployed and updated via MobileIron.